SlideShare une entreprise Scribd logo

Malware Final Report

Télécharger en tant que DOCX, PDF
Z
Zachary Adams
1  sur  18
Running head: ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 1 The Microsoft Malware Protection Center Challenge: Analyzing Malware Samples’ Assembly and Function Zachary Adams Our Lady of the Lake University
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 2 Abstract The purpose of this paper is to analyze the first two samples of malware the Microsoft Malware Protection Center (MMPC) provided for their malware analysis challenge. Microsoft provided the first sample, but the instructions to get the second sample are hidden in the first sample. Proper analysis is needed to retrieve the second sample. Analyzing the samples involve disassembling the malware executables using IDA Pro and debugging them using OllyDbg. Screenshots of the process will be provided for each malware sample to illustrate the analysis process. For the first sample, there was little guidance on how to proceed. The analysis of the first sample will follow my own process and how solving the first sample leads into the second sample’s analysis. The second sample required answering some questions about the sample’s functionality, which I will detail the process of how I discovered the answers.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 3 Executive Summary The first sample of malware was a login program that required a username and password. The goal of the analysis of sample 1 is to gain access to the file that would give instructions on how to obtain sample 2. I was able to find all the usernames in the strings of the file and crack all but one of the passwords in the program, but I decided instead to patch the program to bypass the password checking function. As a result, I was able to log into the program and view the key.txt file that would give instructions on how to obtain sample 2. Sample 2 appeared to be a pump controller program that could be behind the login screen of sample 1. In sample 2, I was given five questions to answer about the sample: 1. What are the commands accepted by the program? 2. What is the logic of the loop in the program? 3. How does the temperature model in the program work? 4. What are the vulnerabilities in the program? Can you create a proof of concept and exploit them? What is the impact? I was able to answer each of the questions in my analysis, which I will detail in the following pages of my report.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 4 Analyzing Sample 1: Login Program Figure 1 (Login Screen) When first opening sample 1, I was greeted with a message to supply a username as seen in Figure 1. Trying my own username, I discovered that I was not able to login. At this point, I could take two approaches to bypassing this login: 1) Find the passwords and crack them, or 2) create a patched version of the sample that would skip the password check function. First, I looked into the strings of sample 1. I found several usernames and MD5 password hashes in Table 1 on the next page. I was able to crack all but one of them during my analysis. Also in the strings of the program was a filename called “key.txt.” This particular file is protected by a permission that is only granted to certain users.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 5 Username MD5 Hash Password jroam e10adc3949ba59abbe56e057f20f883e 123456 todgrad 5f4dcc3b5aa765d61d8327deb882cf99 password sammie eb31870669f13fd8444c2bc918375f09 heaven wiltil 5dac4f26f11849cc71d129edcc55283b 1london reamik 7ab41869306b693f2d9d4f5fa793f0f0 superman99 test1234 bd04dfaad15639a6aa4314d63ce02f9a [Unknown] reagmc 73023d8e8351392686261f2afce5ebad abc541 carlti 5fcfd41e547a12215b173ff47fdd3739 trustno1 rogid 6081d0da1ee073e537b933674e66ea4a blah1blah admin 1e88a70ee1ccb2a25f63c8e5b7761702 msftflag!#37 Table 1 (Login Credentials) The most interesting credential of this list is the “admin.” Since the contents of the file are only allowed to be viewed by certain users, “admin” must be the one to have the permission to view key.txt. I could have used the “admin” login to access the file, but I decided to try and crack the program so that the password checking function would be bypassed. Looking into the assembly in IDA Pro, I was able to identify the function in Figure 2.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 6 Figure 2 (Password checking function) Figure 4 (New Jump Location) I noticed that right before the program checks the entered password there is a conditional jump into the code block. Using OllyDbg, I set a breakpoint at that location and changed the assembly from a conditional jump to an unconditional jump that completely skipped the password checking function. The edited code is shown in Figure 3 and the new jump location in Figure 4. After completing the edit, the patch program granted me access to the file without a password, as shown in Figure 5. Figure 3 (Patched Code)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 7 Figure 6 (Key.txt) Figure 5 (Bypass successful) Finally granted access, I was able to view the content of the key.txt file. Inside it were instructions on how to obtain the second sample from Microsoft. Figure 6 shows the programs output from the key.txt file.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 8 Analyzing Sample 2: Pump Control Program Figure 7 (Sample 2 Start) Starting the program shows a short boot progress screen before showing a monitor interface. The “Workload” and “Temperature” are constantly fluctuating with the temperature increasing as the workload does, and depending on the temperature “Pump 1” and “Pump 2” are turn on. When the pumps are on, the temperature drops as well until it is low enough to where the pumps turn off. If the “Controller” is turned off, the pumps do not automatically turn on and the temperature will rise to around 120 degrees Celsius. The following sections of my analysis will attempt to answer the questions outline in the Executive Summary: 1. What are the commands that the program accept? The commands are stored in the program as strings in Figure 8. Looking into the strings, I noticed several commands that I can use to manipulate three objects in the program: Pump 1, Pump 2, and the Controller.
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 9 Figure 8 (Commands) All of these strings are located in the same function, which I renamed to “cmd_commands” in the rest of the following Figures. To confirm my findings, I entered a command to see if it worked. The results are shown in Figure 9. Figure 9 (Command Successful)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 10 2. What is the logic of the loop in the program? I discovered three loops that run concurrently when the program is started. These loops are infinite and only stop when the program does, or have other special conditions which I will describe in the following paragraphs. Figure 10 (Loop 1)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 11 Figure 11 (Loop 2)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 12 Figure 12 (Loop 2 Continued)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 13 Figure 13 (Loop 3)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 14 Figure 14 (Loop 3 Continued)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 15 These loops perform several functions for the program and I will describe them one by one. In box 1.1 of Figure 10 on page 10, the function “generate_status_nums” is called. This function will print the values shown in the Workload and Temperature fields, and the status of Pump 1, Pump 2, and the Controller. The variables that define these fields are set in another loop. In box 1.2, the program calls the C function “_kbhit” which checks to see if a key was hit since the last time the loop ran. If the “Enter” was hit, the program creates a buffer that is 1023 bytes large as seen in box 2. This buffer is then taken to box 3 where it is passed into the “cmd_commands” function so that the program will perform the command entered. This function does not stop until the program ends, but there is a vulnerability that I will detail later. The second loop in Figures 11 and 12 on pages 11 and 12 is a complex function that uses a complicated math equation to calculate the ever changing numbers in the Workload and Temperature fields of the program. While I cannot abstract the exact equation from the assembly, I can describe what the function does. In box 1, the “temperature” variable is copied into the “xmm0” so that the value can be manipulated by the equation later on in the function. Below that, the memory address for the C function “rand” is passed into the ESI register for future calls in the function. “Rand” returns a pseudo-random number to EAX. In Figure 12 in boxes 4 through 7, the value for “cpu_load” is calculated and so that it can be used to determine the value for the “temperature” variable right after. In box 8, the value for “pump_status” is copied to EAX. “Pump_status” can have either 0 for no pumps on, 1 for one pump on, or 2 for both pumps on. This value is used in the equation to determine the “temperature” value, which is set in box 9. 3. How does the temperature model in the program work? This loop answers question 3 as well as the last part of question 2. The last loop in Figures 13 and 14 on pages 13 and 14 monitors the “temperature” value and it turns the pumps on when the
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 16 value gets too high. In box 1.1, the function sets EBX to 40. Before continuing to box 1.2, the program checks to see of the Controller is off. If not, the program continues onto box 1.2 where “temperature” is compared to EBX, which still contains 40. If the temperature is higher than 40, Pump 1 is turned on in box 1.3. Usually this is enough for the loop to run once and it restarts. The next relevant section is boxes 3.1 and 3.2 where the temperature is compared to 30. If the temperature is less than 30, Pump 1 is turned off. This process is repeated in boxes 4.1-2 and 5.1- 2 where the temperature is compared to 40. If the temperature is higher, Pump 2 is turn on, or if lower than 40 is turned off. In box 6, the values for “temperature” and “pump_status” are saved in the ESI and EDI registers for use in the second loop that generates “temperature” value. 4. What are the vulnerabilities in the program? Can you create a proof of concept and exploit them? What is the impact? I discovered two vulnerabilities in sample 2. The first involves exploiting the command prompt history function provided by pressing the F7 key. By doing so, a dialog box appears on the screen that contains all the strings that have been entered during the session as shown in Figure 15 (F7 Command History)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 17 Figure 15. This can include login credentials in plaintext. In this case, the command history allows someone who is not familiar with the program to know what commands the program accepts if they were entered in before. This particular vulnerability is not one that can be mitigated because it is an issue with the OS. As far as I can tell, there is no way to disable the command history in Windows. Figure 16 (Buffer Overflow Opportunity) The other vulnerability I discovered was the potential for a buffer overflow. This occurs in the loop in Figure 10 that prints the text to the command prompt and monitors for “Enter” keystrokes. As seen in Figure 16, after the “Enter” key is presses, a buffer is created to capture Figure 17 (Overflow Result: Overheating)
ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 18 the input. This buffer is 1023 bytes and there is no mechanism to check if the user entered more than what the buffer can hold. As a result, I was able to break the loop without crashing the program and no more commands can be entered without restarting. If this program were in use, an attacker could issue the “Controller Off” command and break the loop with catastrophic effect. With the Controller off, the pumps cannot turn on to reduce the temperature and it skyrockets as seen in Figure 17. This is a rather crude way to use the exploit and I am aware that it can be used for remote code execution. However, I do not have the expertise to exploit it myself.

Recommandé

Salesforce connector Example
Salesforce connector ExampleSalesforce connector Example
Salesforce connector Exampleprudhvivreddy
 
Excel Vba Basic Tutorial 1
Excel Vba Basic Tutorial 1Excel Vba Basic Tutorial 1
Excel Vba Basic Tutorial 1rupeshkanu
 
Calendrier Effinity Mai
Calendrier Effinity MaiCalendrier Effinity Mai
Calendrier Effinity MaiEffinity
 
MyDestiny
MyDestinyMyDestiny
MyDestinyVisualBee.com
 
Pm first presentation pt3
Pm first presentation pt3Pm first presentation pt3
Pm first presentation pt3carlobisio
 
CV
CVCV
CVSuhas Kulkarni
 
Jelly fashion 2012 led shoelaces - price list with brand, without unit price
Jelly fashion 2012 led shoelaces - price list with brand, without unit priceJelly fashion 2012 led shoelaces - price list with brand, without unit price
Jelly fashion 2012 led shoelaces - price list with brand, without unit priceJMJ International Co.,Ltd
 
Facebook sample page jose marti ppt with video link
Facebook sample page jose marti ppt with video linkFacebook sample page jose marti ppt with video link
Facebook sample page jose marti ppt with video linkamontera
 

Recommandé

Salesforce connector Example
Salesforce connector ExampleSalesforce connector Example
Salesforce connector Exampleprudhvivreddy
 
Excel Vba Basic Tutorial 1
Excel Vba Basic Tutorial 1Excel Vba Basic Tutorial 1
Excel Vba Basic Tutorial 1rupeshkanu
 
Calendrier Effinity Mai
Calendrier Effinity MaiCalendrier Effinity Mai
Calendrier Effinity MaiEffinity
 
MyDestiny
MyDestinyMyDestiny
MyDestinyVisualBee.com
 
Pm first presentation pt3
Pm first presentation pt3Pm first presentation pt3
Pm first presentation pt3carlobisio
 
CV
CVCV
CVSuhas Kulkarni
 
Jelly fashion 2012 led shoelaces - price list with brand, without unit price
Jelly fashion 2012 led shoelaces - price list with brand, without unit priceJelly fashion 2012 led shoelaces - price list with brand, without unit price
Jelly fashion 2012 led shoelaces - price list with brand, without unit priceJMJ International Co.,Ltd
 
Facebook sample page jose marti ppt with video link
Facebook sample page jose marti ppt with video linkFacebook sample page jose marti ppt with video link
Facebook sample page jose marti ppt with video linkamontera
 
Es ficcion pero fue real
Es ficcion pero fue realEs ficcion pero fue real
Es ficcion pero fue realSthefania Cobo
 
Needs of Virtual Team Members
Needs of Virtual Team MembersNeeds of Virtual Team Members
Needs of Virtual Team MembersCynthia Clay
 
WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?Effinity
 
10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio Wordpress10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio WordpressIñaki Lakarra
 
Cornwall
CornwallCornwall
CornwallCanh Ket
 
Fibre optique
Fibre optiqueFibre optique
Fibre optiqueFracarro France
 
Bahasa Mandarin
Bahasa MandarinBahasa Mandarin
Bahasa MandarinFathul Husnan
 
Farmacologia molecular
Farmacologia molecularFarmacologia molecular
Farmacologia molecularrick jonter
 
Back to School
Back to School Back to School
Back to School aallen04
 
11g Function Result Cache
11g Function Result Cache11g Function Result Cache
11g Function Result CacheJeffrey Kemp
 
Debugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programsDebugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programsPVS-Studio
 
Testing computer software
Testing computer softwareTesting computer software
Testing computer softwareJose Vergara Veas
 
micro proj4.V2odt
micro proj4.V2odtmicro proj4.V2odt
micro proj4.V2odtBruno Diaz
 
Lect 3-4 Zaheer Abbas
Lect 3-4 Zaheer AbbasLect 3-4 Zaheer Abbas
Lect 3-4 Zaheer AbbasInformation Technology Center
 
Maxbox starter
Maxbox starterMaxbox starter
Maxbox starterMax Kleiner
 
Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Wielbert Chouphen Collinson
 
S D D Program Development Tools
S D D Program Development ToolsS D D Program Development Tools
S D D Program Development Toolsgavhays
 
Tracking my face with matlab
Tracking my face with matlabTracking my face with matlab
Tracking my face with matlabGaspard Ggas
 
VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...PVS-Studio
 
Lewis jssap3 e_labman02
Lewis jssap3 e_labman02Lewis jssap3 e_labman02
Lewis jssap3 e_labman02auswhit
 
Assignment 2
Assignment 2Assignment 2
Assignment 2Conor Dorrian
 
Tracking my face with matlab ws word format
Tracking my face with matlab ws word formatTracking my face with matlab ws word format
Tracking my face with matlab ws word formatGaspard Ggas
 

Contenu connexe

En vedette

Es ficcion pero fue real
Es ficcion pero fue realEs ficcion pero fue real
Es ficcion pero fue realSthefania Cobo
 
Needs of Virtual Team Members
Needs of Virtual Team MembersNeeds of Virtual Team Members
Needs of Virtual Team MembersCynthia Clay
 
WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?Effinity
 
10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio Wordpress10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio WordpressIñaki Lakarra
 
Farmacologia molecular
Farmacologia molecularFarmacologia molecular
Farmacologia molecularrick jonter
 
Back to School
Back to School Back to School
Back to School aallen04
 

En vedette (9)

Es ficcion pero fue real
Es ficcion pero fue realEs ficcion pero fue real
Es ficcion pero fue real
 
Needs of Virtual Team Members
Needs of Virtual Team MembersNeeds of Virtual Team Members
Needs of Virtual Team Members
 
WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?WEBINAR / Comment développer les ventes de votre site e-commerce ?
WEBINAR / Comment développer les ventes de votre site e-commerce ?
 
10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio Wordpress10 Claves para mejorar el SEO de tu sitio Wordpress
10 Claves para mejorar el SEO de tu sitio Wordpress
 
Cornwall
CornwallCornwall
Cornwall
 
Fibre optique
Fibre optiqueFibre optique
Fibre optique
 
Bahasa Mandarin
Bahasa MandarinBahasa Mandarin
Bahasa Mandarin
 
Farmacologia molecular
Farmacologia molecularFarmacologia molecular
Farmacologia molecular
 
Back to School
Back to School Back to School
Back to School
 

Similaire à Malware Final Report

11g Function Result Cache
11g Function Result Cache11g Function Result Cache
11g Function Result CacheJeffrey Kemp
 
Debugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programsDebugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programsPVS-Studio
 
micro proj4.V2odt
micro proj4.V2odtmicro proj4.V2odt
micro proj4.V2odtBruno Diaz
 
S D D Program Development Tools
S D D Program Development ToolsS D D Program Development Tools
S D D Program Development Toolsgavhays
 
Tracking my face with matlab
Tracking my face with matlabTracking my face with matlab
Tracking my face with matlabGaspard Ggas
 
VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...PVS-Studio
 
Lewis jssap3 e_labman02
Lewis jssap3 e_labman02Lewis jssap3 e_labman02
Lewis jssap3 e_labman02auswhit
 
Tracking my face with matlab ws word format
Tracking my face with matlab ws word formatTracking my face with matlab ws word format
Tracking my face with matlab ws word formatGaspard Ggas
 
ECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/SnaptutorialECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/Snaptutorialpinck2380
 
ECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/SnaptutorialECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/Snaptutorialpinck200
 
Android Application Development - Level 3
Android Application Development - Level 3Android Application Development - Level 3
Android Application Development - Level 3Isham Rashik
 
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docx
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docxOverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docx
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docxhoney690131
 
Ecet 360 Enthusiastic Study / snaptutorial.com
Ecet 360 Enthusiastic Study / snaptutorial.comEcet 360 Enthusiastic Study / snaptutorial.com
Ecet 360 Enthusiastic Study / snaptutorial.comStephenson34
 

Similaire à Malware Final Report (20)

11g Function Result Cache
11g Function Result Cache11g Function Result Cache
11g Function Result Cache
 
Debugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programsDebugging and optimization of multi-thread OpenMP-programs
Debugging and optimization of multi-thread OpenMP-programs
 
Testing computer software
Testing computer softwareTesting computer software
Testing computer software
 
micro proj4.V2odt
micro proj4.V2odtmicro proj4.V2odt
micro proj4.V2odt
 
Lect 3-4 Zaheer Abbas
Lect 3-4 Zaheer AbbasLect 3-4 Zaheer Abbas
Lect 3-4 Zaheer Abbas
 
Maxbox starter
Maxbox starterMaxbox starter
Maxbox starter
 
Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.Troubleshooting guide for apache 2.2 service.
Troubleshooting guide for apache 2.2 service.
 
S D D Program Development Tools
S D D Program Development ToolsS D D Program Development Tools
S D D Program Development Tools
 
Tracking my face with matlab
Tracking my face with matlabTracking my face with matlab
Tracking my face with matlab
 
VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...VivaMP, system of detecting errors in the code of parallel C++ programs using...
VivaMP, system of detecting errors in the code of parallel C++ programs using...
 
Lewis jssap3 e_labman02
Lewis jssap3 e_labman02Lewis jssap3 e_labman02
Lewis jssap3 e_labman02
 
Assignment 2
Assignment 2Assignment 2
Assignment 2
 
Tracking my face with matlab ws word format
Tracking my face with matlab ws word formatTracking my face with matlab ws word format
Tracking my face with matlab ws word format
 
Function
FunctionFunction
Function
 
Conditional Statements
Conditional StatementsConditional Statements
Conditional Statements
 
ECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/SnaptutorialECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/Snaptutorial
 
ECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/SnaptutorialECET 360 help A Guide to career/Snaptutorial
ECET 360 help A Guide to career/Snaptutorial
 
Android Application Development - Level 3
Android Application Development - Level 3Android Application Development - Level 3
Android Application Development - Level 3
 
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docx
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docxOverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docx
OverviewAssignment 1 Hypothetical Machine SimulatorCSci 43.docx
 
Ecet 360 Enthusiastic Study / snaptutorial.com
Ecet 360 Enthusiastic Study / snaptutorial.comEcet 360 Enthusiastic Study / snaptutorial.com
Ecet 360 Enthusiastic Study / snaptutorial.com
 

Malware Final Report

  • 1. Running head: ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 1 The Microsoft Malware Protection Center Challenge: Analyzing Malware Samples’ Assembly and Function Zachary Adams Our Lady of the Lake University
  • 2. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 2 Abstract The purpose of this paper is to analyze the first two samples of malware the Microsoft Malware Protection Center (MMPC) provided for their malware analysis challenge. Microsoft provided the first sample, but the instructions to get the second sample are hidden in the first sample. Proper analysis is needed to retrieve the second sample. Analyzing the samples involve disassembling the malware executables using IDA Pro and debugging them using OllyDbg. Screenshots of the process will be provided for each malware sample to illustrate the analysis process. For the first sample, there was little guidance on how to proceed. The analysis of the first sample will follow my own process and how solving the first sample leads into the second sample’s analysis. The second sample required answering some questions about the sample’s functionality, which I will detail the process of how I discovered the answers.
  • 3. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 3 Executive Summary The first sample of malware was a login program that required a username and password. The goal of the analysis of sample 1 is to gain access to the file that would give instructions on how to obtain sample 2. I was able to find all the usernames in the strings of the file and crack all but one of the passwords in the program, but I decided instead to patch the program to bypass the password checking function. As a result, I was able to log into the program and view the key.txt file that would give instructions on how to obtain sample 2. Sample 2 appeared to be a pump controller program that could be behind the login screen of sample 1. In sample 2, I was given five questions to answer about the sample: 1. What are the commands accepted by the program? 2. What is the logic of the loop in the program? 3. How does the temperature model in the program work? 4. What are the vulnerabilities in the program? Can you create a proof of concept and exploit them? What is the impact? I was able to answer each of the questions in my analysis, which I will detail in the following pages of my report.
  • 4. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 4 Analyzing Sample 1: Login Program Figure 1 (Login Screen) When first opening sample 1, I was greeted with a message to supply a username as seen in Figure 1. Trying my own username, I discovered that I was not able to login. At this point, I could take two approaches to bypassing this login: 1) Find the passwords and crack them, or 2) create a patched version of the sample that would skip the password check function. First, I looked into the strings of sample 1. I found several usernames and MD5 password hashes in Table 1 on the next page. I was able to crack all but one of them during my analysis. Also in the strings of the program was a filename called “key.txt.” This particular file is protected by a permission that is only granted to certain users.
  • 5. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 5 Username MD5 Hash Password jroam e10adc3949ba59abbe56e057f20f883e 123456 todgrad 5f4dcc3b5aa765d61d8327deb882cf99 password sammie eb31870669f13fd8444c2bc918375f09 heaven wiltil 5dac4f26f11849cc71d129edcc55283b 1london reamik 7ab41869306b693f2d9d4f5fa793f0f0 superman99 test1234 bd04dfaad15639a6aa4314d63ce02f9a [Unknown] reagmc 73023d8e8351392686261f2afce5ebad abc541 carlti 5fcfd41e547a12215b173ff47fdd3739 trustno1 rogid 6081d0da1ee073e537b933674e66ea4a blah1blah admin 1e88a70ee1ccb2a25f63c8e5b7761702 msftflag!#37 Table 1 (Login Credentials) The most interesting credential of this list is the “admin.” Since the contents of the file are only allowed to be viewed by certain users, “admin” must be the one to have the permission to view key.txt. I could have used the “admin” login to access the file, but I decided to try and crack the program so that the password checking function would be bypassed. Looking into the assembly in IDA Pro, I was able to identify the function in Figure 2.
  • 6. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 6 Figure 2 (Password checking function) Figure 4 (New Jump Location) I noticed that right before the program checks the entered password there is a conditional jump into the code block. Using OllyDbg, I set a breakpoint at that location and changed the assembly from a conditional jump to an unconditional jump that completely skipped the password checking function. The edited code is shown in Figure 3 and the new jump location in Figure 4. After completing the edit, the patch program granted me access to the file without a password, as shown in Figure 5. Figure 3 (Patched Code)
  • 7. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 7 Figure 6 (Key.txt) Figure 5 (Bypass successful) Finally granted access, I was able to view the content of the key.txt file. Inside it were instructions on how to obtain the second sample from Microsoft. Figure 6 shows the programs output from the key.txt file.
  • 8. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 8 Analyzing Sample 2: Pump Control Program Figure 7 (Sample 2 Start) Starting the program shows a short boot progress screen before showing a monitor interface. The “Workload” and “Temperature” are constantly fluctuating with the temperature increasing as the workload does, and depending on the temperature “Pump 1” and “Pump 2” are turn on. When the pumps are on, the temperature drops as well until it is low enough to where the pumps turn off. If the “Controller” is turned off, the pumps do not automatically turn on and the temperature will rise to around 120 degrees Celsius. The following sections of my analysis will attempt to answer the questions outline in the Executive Summary: 1. What are the commands that the program accept? The commands are stored in the program as strings in Figure 8. Looking into the strings, I noticed several commands that I can use to manipulate three objects in the program: Pump 1, Pump 2, and the Controller.
  • 9. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 9 Figure 8 (Commands) All of these strings are located in the same function, which I renamed to “cmd_commands” in the rest of the following Figures. To confirm my findings, I entered a command to see if it worked. The results are shown in Figure 9. Figure 9 (Command Successful)
  • 10. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 10 2. What is the logic of the loop in the program? I discovered three loops that run concurrently when the program is started. These loops are infinite and only stop when the program does, or have other special conditions which I will describe in the following paragraphs. Figure 10 (Loop 1)
  • 11. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 11 Figure 11 (Loop 2)
  • 12. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 12 Figure 12 (Loop 2 Continued)
  • 13. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 13 Figure 13 (Loop 3)
  • 14. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 14 Figure 14 (Loop 3 Continued)
  • 15. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 15 These loops perform several functions for the program and I will describe them one by one. In box 1.1 of Figure 10 on page 10, the function “generate_status_nums” is called. This function will print the values shown in the Workload and Temperature fields, and the status of Pump 1, Pump 2, and the Controller. The variables that define these fields are set in another loop. In box 1.2, the program calls the C function “_kbhit” which checks to see if a key was hit since the last time the loop ran. If the “Enter” was hit, the program creates a buffer that is 1023 bytes large as seen in box 2. This buffer is then taken to box 3 where it is passed into the “cmd_commands” function so that the program will perform the command entered. This function does not stop until the program ends, but there is a vulnerability that I will detail later. The second loop in Figures 11 and 12 on pages 11 and 12 is a complex function that uses a complicated math equation to calculate the ever changing numbers in the Workload and Temperature fields of the program. While I cannot abstract the exact equation from the assembly, I can describe what the function does. In box 1, the “temperature” variable is copied into the “xmm0” so that the value can be manipulated by the equation later on in the function. Below that, the memory address for the C function “rand” is passed into the ESI register for future calls in the function. “Rand” returns a pseudo-random number to EAX. In Figure 12 in boxes 4 through 7, the value for “cpu_load” is calculated and so that it can be used to determine the value for the “temperature” variable right after. In box 8, the value for “pump_status” is copied to EAX. “Pump_status” can have either 0 for no pumps on, 1 for one pump on, or 2 for both pumps on. This value is used in the equation to determine the “temperature” value, which is set in box 9. 3. How does the temperature model in the program work? This loop answers question 3 as well as the last part of question 2. The last loop in Figures 13 and 14 on pages 13 and 14 monitors the “temperature” value and it turns the pumps on when the
  • 16. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 16 value gets too high. In box 1.1, the function sets EBX to 40. Before continuing to box 1.2, the program checks to see of the Controller is off. If not, the program continues onto box 1.2 where “temperature” is compared to EBX, which still contains 40. If the temperature is higher than 40, Pump 1 is turned on in box 1.3. Usually this is enough for the loop to run once and it restarts. The next relevant section is boxes 3.1 and 3.2 where the temperature is compared to 30. If the temperature is less than 30, Pump 1 is turned off. This process is repeated in boxes 4.1-2 and 5.1- 2 where the temperature is compared to 40. If the temperature is higher, Pump 2 is turn on, or if lower than 40 is turned off. In box 6, the values for “temperature” and “pump_status” are saved in the ESI and EDI registers for use in the second loop that generates “temperature” value. 4. What are the vulnerabilities in the program? Can you create a proof of concept and exploit them? What is the impact? I discovered two vulnerabilities in sample 2. The first involves exploiting the command prompt history function provided by pressing the F7 key. By doing so, a dialog box appears on the screen that contains all the strings that have been entered during the session as shown in Figure 15 (F7 Command History)
  • 17. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 17 Figure 15. This can include login credentials in plaintext. In this case, the command history allows someone who is not familiar with the program to know what commands the program accepts if they were entered in before. This particular vulnerability is not one that can be mitigated because it is an issue with the OS. As far as I can tell, there is no way to disable the command history in Windows. Figure 16 (Buffer Overflow Opportunity) The other vulnerability I discovered was the potential for a buffer overflow. This occurs in the loop in Figure 10 that prints the text to the command prompt and monitors for “Enter” keystrokes. As seen in Figure 16, after the “Enter” key is presses, a buffer is created to capture Figure 17 (Overflow Result: Overheating)
  • 18. ANALYZING MALWARE SAMPLES’ ASSEMBLY AND FUNCTION 18 the input. This buffer is 1023 bytes and there is no mechanism to check if the user entered more than what the buffer can hold. As a result, I was able to break the loop without crashing the program and no more commands can be entered without restarting. If this program were in use, an attacker could issue the “Controller Off” command and break the loop with catastrophic effect. With the Controller off, the pumps cannot turn on to reduce the temperature and it skyrockets as seen in Figure 17. This is a rather crude way to use the exploit and I am aware that it can be used for remote code execution. However, I do not have the expertise to exploit it myself.